The Bagle deluge continues with new additions to this rapidly growing family of mass-mailers

18 March 2004

In addition to W32/Bagle.Q@mm that was discovered this morning,
three new Bagle variants (R, S and T) have emerged in the course
of the day. These variants are similar to Bagle.Q (see below).

W32/Bagle.Q@mm, the newest member of the Bagle family of mass-mailing
worms, was first discovered early on 18 March 2004. Bagle.Q takes advantage
of a security flaw in Microsoft Internet Explorer that was reported in
Microsoft Security Bulletin MS03-040 on 3 October 2003. Users can patch
against it with the updates found in Microsoft Knowledge Base Article 828750.
Note that Outlook and Outlook Express use Internet Explorer to render HTML-based e-mail
messages, so the security flaw applies indirectly to those products as well.

Bagle.Q is a mass-mailer that spreads by harvesting e-mail addresses from the infected
computer's hard drive and sending e-mails with falsified FROM: addresses to these
harvested addresses, using its own SMTP engine. The worm also attempts to spread via
file-sharing sites by copying itself to folders with "shar" in their names.
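
The file-sharing behaviour described above can be checked for by listing Windows executables that sit in folders whose names contain "shar". The Python sketch below is an added example, not part of the original advisory or of F-Prot Antivirus; its function names and the sample directory tree are constructed for illustration, and a hit is only a candidate for an antivirus scan, not proof of infection.

```python
import os
import tempfile

MARKER = "shar"  # substring the advisory says the worm looks for in folder names


def is_windows_executable(path):
    """True if the file starts with the 'MZ' magic used by Windows executables."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable or locked file: skip it rather than abort the sweep


def find_executables_in_share_folders(root):
    """Return relative paths of executables stored directly in any folder
    whose own name contains MARKER (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if MARKER not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Check content, not extension: a copied executable may use any name.
            if is_windows_executable(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and run the sweep over it."""
    sample = {  # constructed files; the 'MZ' bytes are placeholders, not real programs
        ("My Shared Folder", "setup.exe"): b"MZ\x90\x00constructed",
        ("My Shared Folder", "notes.txt"): b"plain text",
        ("apps", "SHARE", "tool.scr"): b"MZ\x90\x00constructed",
        ("Documents", "installer.exe"): b"MZ\x90\x00constructed",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "scanroot")
        for parts, data in sample.items():
            full = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_executables_in_share_folders(root)


if __name__ == "__main__":
    for hit in demo():
        print("candidate for scanning:", hit)
```

The executable in `Documents` is not reported because its folder name does not contain "shar"; the text file in the shared folder is not reported because it lacks the executable header.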

This newest variant differs from its predecessors in that it does not send itself as a
binary attachment via e-mail. Instead, it sends out e-mail that takes advantage of
the vulnerability mentioned above by launching a Visual Basic script that causes
Outlook and Outlook Express to download the worm from a remote site.

After updating the virus signature files, users should scan their whole system
with the F-Prot Antivirus OnDemand scanner to ensure that their computer security
was not compromised before the virus signature files were updated.